MongoDB Authentication (VM, PC, SCA)


Thank you for your interest in authenticated scanning! When you configure and use 
authentication, you get a more in-depth assessment of your hosts, the most accurate results and 
fewer false positives. This document provides tips and best practices for setting up MongoDB 
authentication for compliance scans. 


A few things to consider 


Why should I use authentication?


With authentication we can remotely log in to each target system with credentials that you 
provide, and because we're logged in we can do more thorough testing. This will give you better 
visibility into each system's security posture. Is it required? Yes, it is required for compliance scans.


Are my credentials safe? 


Yes, credentials are exclusively used for READ ACCESS ONLY to your system. The service does 
not modify or write anything on the device in any way. Credentials are securely handled by the 
service and are only used for the duration of the scan. 


Which technologies are supported? 
For the most current list of supported authentication technologies and the versions that have 
been certified for VM and PC by record type, please refer to the following article: 


Authentication Technologies Matrix 


What are the steps? 


First, set up a MongoDB user account and privileges (on target hosts) for authenticated scanning. 
Then, using Qualys Policy Compliance, complete these steps: 1) Add a MongoDB authentication 
record, 2) Launch a compliance scan, and 3) Run the Authentication Report to view the 
authentication status (Passed or Failed) for each scanned host. 


MongoDB Credentials 


We've provided a set of scripts below to help you set up an account and privileges which must 
exist prior to running scans. Note - These scripts require a super-user account which has 
privilege to createRole, createUser and grantRole. For example, accounts with userAdmin or 
dbOwner role. 


Please run the scripts provided, in the order shown. The role and scan account need to be 
created in the admin database for the scripts to run successfully.
1) Create a Role for the Scan Account within the 'MongoDB' Database


This script creates a role for the user account to be used for scanning. It also grants the role 
the privileges needed for successful authentication and compliance scanning. We recommend 
creating a role called qualys_Role and providing a password before running the script.


use admin 
db.createRole( 
  { 
    role: "qualys_Role", 
    privileges: [ 
      { resource: { db: "", collection: "" }, actions: [ "viewRole", "viewUser" ] }, 
      { resource: { cluster: true }, actions: [ "getCmdLineOpts" ] }, 
      { resource: { db: "admin", collection: "system.users" }, actions: [ "find" ] }, 
      { resource: { db: "admin", collection: "system.roles" }, actions: [ "find" ] } 
    ], 
    roles: [] 
  } 
)


2) Create a User Account 


This script creates a user account to be used for scanning. Please provide a password before 
running the script. The script also grants the role created in Step 1 (qualys_Role) to the account. 


We recommend you create an account called qualys_scan and provide a password before 
running the script. 


use admin 
db.createUser( 
  { 
    user: "qualys_scan", 
    pwd: "<password>", 
    roles: [ "qualys_Role" ] 
  } 
)


If a user identified by its X.509 subject is created for scanning, please grant the role created in 
Step 1 (qualys_Role) to that user account.


3) Verify Privileges on the Scan Account 


Verify that the qualys_scan account has all the privileges in the admin database to run a 
successful compliance scan. Log into the instance using the "qualys_scan" account, then run the 
following queries to see if access is available to the account.


3a) 
use admin 
db.runCommand({getCmdLineOpts:1}) 


Sample Expected Output: 
{ 
  "argv" : [ 
    "/usr/bin/mongod", 
    "--config", 
    "/etc/mongodb1.conf" 
  ], 
  "parsed" : { 
    "config" : "/etc/mongodb1.conf", 
    "net" : { 
      "port" : 27017 
    }, 
    "security" : { 
      "authorization" : "enabled" 
    }, 
    "storage" : { 
      "dbPath" : "/usr/local/mongodb1/data", 
      "journal" : { 
        "enabled" : true 
      } 
    }, 
    "systemLog" : { 
      "destination" : "file", 
      "logAppend" : true, 
      "path" : "/var/log/mongodb1.log", 
      "quiet" : false 
    } 
  }, 
  "ok" : 1 
}
3b) 
use admin 
db.runCommand({"find":"system.users","filter":{},limit:1,"projection":{"user":1,"_id":0}}) 


Sample Expected Output: 
{ 
  "cursor" : { 
    "firstBatch" : [ 
      { 
        "user" : "qualys_scan" 
      } 
    ], 
    "id" : NumberLong(0), 
    "ns" : "admin.system.users" 
  }, 
  "ok" : 1 
}
3c) 
use admin 
db.runCommand({"find":"system.roles","filter":{},limit:1,"projection":{"role":1,"_id":0}}) 


Sample Expected Output: 
{ 
  "cursor" : { 
    "firstBatch" : [ 
      { 
        "role" : "qualys_Role" 
      } 
    ], 
    "id" : NumberLong(0), 
    "ns" : "admin.system.roles" 
  }, 
  "ok" : 1 
}


Did you get different results? Contact your MongoDB DBA to ensure that privileges are set up 
correctly. 
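The Step 1 grants and the Step 3 checks, as an added example that is not part of this document or of Qualys: a small Node.js script that compares a role document, as returned by mongosh's db.getRole("qualys_Role", {showPrivileges: true}), against the intended grant list and reports anything missing, extra or inherited, and checks the getCmdLineOpts output for security.authorization. The sample role document is constructed; paste the real output from your server in its place.

```javascript
// Expected grants for qualys_Role, exactly as created by the Step 1 script.
const EXPECTED_PRIVILEGES = [
  { resource: { db: "", collection: "" }, actions: ["viewRole", "viewUser"] },
  { resource: { cluster: true }, actions: ["getCmdLineOpts"] },
  { resource: { db: "admin", collection: "system.users" }, actions: ["find"] },
  { resource: { db: "admin", collection: "system.roles" }, actions: ["find"] },
];

// Canonical string for a resource document, so key order does not matter.
function resourceKey(resource) {
  return JSON.stringify(Object.keys(resource).sort().map((k) => [k, resource[k]]));
}

// Flatten a privileges array into a Set of "resource|action" strings.
function privilegeSet(privileges) {
  const out = new Set();
  for (const p of privileges) for (const a of p.actions) out.add(`${resourceKey(p.resource)}|${a}`);
  return out;
}

// Compare a role document (db.getRole output) with the expected grants. Missing grants break
// the scan; extra grants or inherited roles give the scan account more than read access.
function checkScanRole(roleDoc) {
  const actual = privilegeSet(roleDoc.privileges || []);
  const expected = privilegeSet(EXPECTED_PRIVILEGES);
  const missing = [...expected].filter((x) => !actual.has(x));
  const extra = [...actual].filter((x) => !expected.has(x));
  const inherited = (roleDoc.roles || []).map((r) => `${r.db}.${r.role}`);
  const ok = missing.length === 0 && extra.length === 0 && inherited.length === 0;
  return { ok, missing, extra, inherited };
}

// From the Step 3a output of db.runCommand({getCmdLineOpts: 1}): access control must be on,
// otherwise the scan account's credentials are never actually checked by the server.
function authorizationEnabled(cmdLineOpts) {
  const security = (cmdLineOpts.parsed && cmdLineOpts.parsed.security) || {};
  return cmdLineOpts.ok === 1 && security.authorization === "enabled";
}

// Constructed sample (not real output): a DBA has added "insert" on system.users by mistake.
const sampleRole = {
  role: "qualys_Role", db: "admin", roles: [],
  privileges: [
    { resource: { db: "", collection: "" }, actions: ["viewRole", "viewUser"] },
    { resource: { cluster: true }, actions: ["getCmdLineOpts"] },
    { resource: { db: "admin", collection: "system.users" }, actions: ["find", "insert"] },
    { resource: { db: "admin", collection: "system.roles" }, actions: ["find"] },
  ],
};
console.log(checkScanRole(sampleRole));
```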
MongoDB Authentication Records


You'll need to create a separate authentication record for each MongoDB instance to be 
scanned. During scanning we'll authenticate to one or more MongoDB instances on a host 
using all the MongoDB authentication records in your account. 


Where do I create records? 


Go to Scans > Authentication > New > Databases > MongoDB Record. 

[Screenshot: the New menu under Scans > Authentication, with Databases > MongoDB Record selected] 

Your login credentials 
Local Authentication 
Select Local Authentication credential type. Enter the login credentials (user name, password) 
our service will use to login to Unix hosts at scan time. 

[Screenshot: New MongoDB Record > Login Credentials, with Credential Type set to Local 
authentication and Authentication Type set to Basic; fields Username, Password, Confirm Password]
External Authentication


Select External LDAP Authentication credential type. For external LDAP authentication, the 
"Use clear text password" check-box enables sending the cleartext password over an 
unencrypted channel. To authenticate to a MongoDB server using an LDAP account, the 
password must be sent in cleartext over the unencrypted channel. This cleartext password is 
then used by the MongoDB server to send a separate authentication request to the configured 
LDAP server. If your database server supports it, selecting "SSL Verify" in the same record (see 
"Should I use SSL?" below) puts this exchange between the scanning engine and the MongoDB 
server on an encrypted connection. 

Enter the login credentials (user name, password) our service will use to login to Unix hosts at 
scan time. 

For External LDAP authentication, only basic and vault based authentication types are supported. 

[Screenshot: New MongoDB Record > Login Credentials, with Credential Type set to External 
LDAP authentication, the "Use clear text password" check-box, and the Username, Password and 
Confirm Password fields]


Can I access a password in a vault? 


Yes. We support integration with multiple third party password vaults. Go to Scans > 
Authentication > New > Authentication Vaults and tell us about your vault system. Then choose 
"Authentication Vault" in your record and select your vault name. At scan time, we'll 
authenticate to hosts using the account name in your record and the password we find in your 
vault. 

[Screenshot: New MongoDB Record > Login Credentials, with Authentication Type set to Vault 
based; fields Vault Type, Vault Record and End Point Container]


Using private keys 


For MongoDB authentication, private key authentication is supported. You can define private 
keys in MongoDB authentication records.


What database information is required? 


Tell us the database name to authenticate to and the port the database is running on (or use the 
default database name and port). 

[Screenshot: New MongoDB Record > Target Configuration, with the Database Name and port fields]
Should I use SSL?


Using SSL provides a secure connection to your database. By selecting "SSL Verify", and if your 
database server supports SSL, you will be requesting an SSL-secured link. The server SSL 
certificate verification is also enforced. By default, this option is set to false.


Your MongoDB configuration file 


It is essential, though not required, that you provide the location of the MongoDB configuration 
file within the authentication record. This file is required for certain checks. For Unix, this file 
gives us the information needed to produce the results you are looking for.


Add IPs to the record 


Select the IP addresses for the MongoDB databases that the scanning engine should log into 
using the provided credentials.


Last updated: May 27, 2022 
[Screenshot: New MongoDB Record > Target Configuration. Help text: "Tell us the user account to 
use for authentication, the database instance you want to authenticate to, and the port where the 
database is installed." Fields: Database Name (admin), port (27017)] 

[Screenshot: New MongoDB Record > Unix Configuration. Help text: "Enter the full path to the 
MongoDB configuration file on your Unix hosts. The file must be in the same loca… If different, 
create another record." Field: Configuration File (/etc/mongodb.conf), example: /etc/mongod.conf] 

[Screenshot: New MongoDB Record > IPs. Help text: "Add IPs to your MongoDB record. Enter or 
Select IPs/Ranges." Example range shown: 192.168.0.87-192.168.2.92]


